Review for Package: ruby-webrick

[Summary]
WEBrick is an HTTP server toolkit that can be configured as an HTTPS server,
a proxy server and a virtual-host server.
It used to be provided with the standard library of the Ruby interpreter, and
has been available as a standalone gem since ruby3.0.

MIR team ACK
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: ruby-webrick

Notes:
- The package should get a team bug subscriber before being promoted


[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
   - checked with check-mir
   - not listed in seeded-in-ubuntu
- all of the (potentially auto-generated) dependencies (Depends
     and Recommends) that are present after build are in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
   more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
- No vendoring used, all Built-Using are in main

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- does open a port/socket
- does not parse data formats

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
   - test suite failures fail the build
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
  control (only one patch which is backported from upstream and will be
  removed eventually)
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is slow
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]

OK:
TODO: - no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- use of setuid, but ok. The package provides an su(user) function in
  lib/webrick/utils.rb which makes use of setuid and setgid to change the uid
  and gid of the process to the ones of the given user. However, this function
  is used to drop privileges in case WEBrick is started as a privileged user
  in order to bind to port 80 or 443 (see lib/webrick.rb).
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case 

Problems: None

** Changed in: ruby-webrick (Ubuntu Kinetic)
     Assignee: Ioanna Alifieraki (joalif) => (unassigned)

** Changed in: ruby-webrick (Ubuntu Kinetic)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1975523

Title:
  [MIR] Promote to main in Jammy and Kinetic



-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
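The setuid/setgid privilege drop discussed in the review above, as an added example that is not WEBrick's own code and not part of the bug report: it binds a listening socket while still privileged, then changes gid before uid (reversing that order leaves a no-longer-root process unable to change its group), and finally checks that uid 0 cannot be regained. The function names (bind_listener, drop_privileges, cannot_regain_root?, ids_for) are this example's own. Port 0 and the current user are used by default so it runs unprivileged; started as root with a user name and port 80 it exercises the real case.

```ruby
require 'socket'
require 'etc'

# Added example (not WEBrick's code): bind first, then drop privileges
# in the order gid -> uid, and prove the drop cannot be undone.

# Bind before dropping: a port below 1024 needs root (or
# CAP_NET_BIND_SERVICE), so the socket must exist before the uid changes.
# Port 0 asks the kernel for any free port, which needs no privilege.
def bind_listener(host, port)
  TCPServer.new(host, port)
end

# Change gid before uid: once the process is no longer uid 0 it may not
# setgid() to an arbitrary group, so doing setuid first silently leaves
# the process in its original, privileged, group.
def drop_privileges(uid:, gid:)
  Process::Sys.setgid(gid)   # sets real, effective and saved gid
  Process::Sys.setuid(uid)   # sets real, effective and saved uid
  {
    uid: Process.uid, euid: Process.euid,
    gid: Process.gid, egid: Process.egid,
    irreversible: cannot_regain_root?
  }
end

# After a correct drop the saved set-user-id is no longer 0, so setuid(0)
# must fail with EPERM. A process that is still uid 0 (root dropping to
# root, or a script simply run as root) can trivially become root again,
# so the check reports false there instead of claiming an irreversible drop.
# Note: if setuid(0) unexpectedly succeeds (e.g. only the effective uid
# had been changed), the caller is root again, which is exactly the bug
# this check is meant to surface.
def cannot_regain_root?
  return false if Process.uid.zero?
  Process::Sys.setuid(0)
  false                      # succeeded: the drop was reversible
rescue Errno::EPERM
  true
end

# Resolve a user name to ids the way an su(user)-style helper would;
# Etc.getpwnam raises ArgumentError for an unknown user.
def ids_for(user)
  pw = Etc.getpwnam(user)
  { uid: pw.uid, gid: pw.gid }
end

if __FILE__ == $0
  # Usage: ruby drop.rb [user] [port]; defaults keep it unprivileged.
  ids  = ARGV[0] ? ids_for(ARGV[0]) : { uid: Process.uid, gid: Process.gid }
  port = Integer(ARGV.fetch(1, '0'))
  server = bind_listener('127.0.0.1', port)
  puts "listening on #{server.addr[1]} as uid #{Process.uid}"
  p drop_privileges(**ids)
  server.close
end
```

The order of operations is the whole point: socket first, setgid second, setuid last, and then a positive check that privilege is gone rather than trusting the calls succeeded. The same sequence is what a service should do between binding 80/443 and serving its first request.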
